REVIEW OF THE IMPLEMENTATION OF GSA'S IT INFRASTRUCTURE SUPPORT SERVICES CONSOLIDATION INITIATIVE
REPORT NUMBER A070113/O/T/F09007

June 18, 2009

U.S. GENERAL SERVICES ADMINISTRATION
Office of Inspector General

Date:              June 18, 2009

Reply to Attn of:  Gwendolyn A. McGowan
                   Deputy Assistant Inspector General for Information Technology Audits (JA-T)

To:                Casey Coleman
                   Chief Information Officer (I)

Subject:           Review of the Implementation of GSA's IT Infrastructure Support Services Consolidation Initiative
                   Report Number A070113/O/T/F09007

This report presents a summary of the results of our audit of the General Services Administration's (GSA) Infrastructure Technology Global Operations (GITGO) consolidation initiative. The report highlights our audit findings and recommendations to the Agency's Office of the Chief Information Officer (OCIO) for improving the security, service, and cost validation of the consolidated infrastructure support services. With the GITGO initiative, the GSA OCIO is moving the Agency toward a standard, enterprise-wide resource management framework to establish and sustain effective and efficient information technology (IT) infrastructure support services. Accordingly, our review focused on risk areas where additional management attention may be needed to ensure that lessons learned with GITGO are adequately addressed to support GSA's information technology project management goals. We coordinated closely throughout the audit with program officials responsible for the GITGO implementation and carefully considered controls for managing security, service, and costs associated with the infrastructure support services. On March 30, 2009, we provided our preliminary findings and recommendations in a presentation to you and your staff. We have incorporated information that you provided, and a copy of our updated briefing slides is contained in Appendix A. Due to the sensitive nature of the detailed findings in the appendix, we are restricting distribution of that information to your office.

Background

The GITGO performance-based task order was awarded to Catapult Technology, Ltd. on February 28, 2007 for the purpose of consolidating GSA's IT infrastructure support services. With GITGO, 40 existing contracts with approximately $59 million in annual infrastructure support costs were consolidated into a single contract valued at approximately $40 million annually. Program management, IT Service Desk/Help Desk, and local support services sub-tasks are firm fixed-priced, and client management services and network operations sub-tasks are labor-hour contract line items. The GITGO initiative is part of GSA's Exhibit 300 capital asset plan and business case for enterprise infrastructure. The Exhibit 300 is required to coordinate the Office of Management and Budget's (OMB) collection of agency information to ensure that the business case for investments is made and tied to the Agency's mission statements, long-term goals and objectives, and annual performance plans. GSA's phased implementation of GITGO services started with the contract award 12-month base period and continues with four 12-month option periods to consolidate the IT infrastructure support services. Expected benefits from the GITGO initiative to consolidate GSA's internal contracts for desktop computing, networking, messaging and other services were: (1) combining 40 disparate contracts into one consolidated contract; (2) enhancing efficiency by aligning functions performed by multiple organizations and locations; (3) establishing consistent IT infrastructure levels of service throughout GSA; (4) establishing a consolidated help desk for all IT infrastructure issues; (5) improving management controls over funding for IT infrastructure, as funding will be consistently documented and analyzed; and (6) simplifying enterprise efforts such as implementing new software versions, responding to various security issues, and maintaining asset inventories.

241 18th Street S., CS4, Suite 607, Arlington, VA 22202-3402

Objective, Scope, and Methodology

Our audit objective was to assess whether risks with GSA's consolidation of IT support services have been adequately mitigated by determining if: (1) the GSA Infrastructure Technology Global Operations (GITGO) initiative for IT infrastructure support consolidation is generating expected cost savings and other benefits; (2) GSA's consolidated IT Service Desk is operating effectively, efficiently, and securely; and (3) GSA and the GITGO contractor are developing and implementing Information Technology Infrastructure Library (ITIL) processes to align IT support services to customer needs. If not, what changes are needed to ensure successful implementation of the GITGO initiative?

We gathered and analyzed information related to security, IT Service Desk operations, and infrastructure support services costs, which included the GITGO performance work statement (PWS), deployment of the ITIL framework, funding and justifications, strategic goals and objectives, standard operating procedures, performance measures, and service level agreements (SLA).

We met with GITGO officials and customers from the Federal Acquisition Service (FAS), Public Buildings Service, and Office of Governmentwide Policy. We also met with GITGO contractor personnel and FAS officials responsible for the Information Technology Infrastructure Line of Business. We visited the GITGO IT Service Desk in Chambersburg, PA for an overview of operations. For our IT security assessment, we relied on commercial tools and agreed-upon procedures in place with the GSA Chief Information Officer (CIO) to evaluate operations at the Unicenter Service Desk in St. Louis, MO. In January 2009, we also reviewed a limited sample of service desk tickets that included active tickets, tickets referred by FAS personnel, and tickets associated with malicious code.

We considered applicable statutes, regulations, policies, operating procedures, and industry best practices regarding the development and implementation of the GITGO infrastructure consolidation, such as: the PWS for the General Services Administration Office of the Chief Information Officer (OCIO) GSA Infrastructure Technology Global Operations, awarded February 2007, Task Identification Number A06S47T0040; GSA Information Technology (IT) Security Policy, CIO P 2100.1D, June 2007; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Revision 1, Computer Security Incident Handling Guide, March 2008; GSA Information Technology (IT) Capital Planning and Investment Control, CIO 2135.2A, September 2006; GSA Information Technology (IT) Capital Planning and Investment Control, CIO 2135.2B, November 2008; GSA Information Technology (IT) Governance, CIO 2130.1, November 2008; Gartner Toolkit: IT Service Desks Must Understand the Importance of First Contact Resolution, June 2007; OMB M-05-23, Improving Information Technology (IT) Project Planning and Execution, August 2005; OMB M-05-04, Policies for Federal Agency Public Websites, December 2004; ITIL Service Support Version 2.6, 2000; ITIL Service Delivery Version 2.4, 2001; GSA IT Strategic Plan 2009 - 2011, August 2007; the Clinger Cohen Act of 1996; and OMB A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, October 1992.

This audit work began in February 2007 and was completed by February 2009. We conducted our audit work in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Results in Brief

The expected benefits of implementing GITGO include the establishment of consistent IT infrastructure levels of service throughout GSA, a consolidated service desk/help desk for all IT infrastructure issues, and improvement of management controls for funding IT infrastructure. Our review identified findings related to security, service, and cost validation risks that could hinder long-term success for GITGO if not adequately addressed. We have identified security controls that need to be strengthened in the areas of web application, database, and operating system platform security in response to results of technical scanning and other testing. Specifically, important risk management activities for the Unicenter Service Desk infrastructure, including certification and accreditation, the assignment of an Information System Security Officer (ISSO), and completion of an IT contingency plan, should be prioritized. We also found that comprehensive procedures are not yet in place for service desk handling of security incidents, and audit trails for the remote support solution used by the IT Service Desk are not being analyzed for suspicious activity. An official GSA governance body should be utilized to review and approve changes to service level agreements as needed to monitor the performance of the infrastructure support processes. The IT Infrastructure Library (ITIL) is the selected IT service management framework for GITGO. However, a GITGO-specific ITIL plan, with milestones, is needed for guiding the development and implementation of ITIL disciplines for improving GSA's IT infrastructure services. Enhanced procedures are needed for the consolidated IT Service Desk to improve day-to-day operations. Since procedures were not adequate for verifying the pre-consolidation cost baseline information, the OCIO should improve the cost validation process to ensure the accuracy of future cost baselines for monitoring infrastructure support services. Taking steps to ensure improvements with GITGO at this time will assist GSA in progressing toward more standardized processes, reliable infrastructure support services, and efficiencies in GSA operations. To address the identified risk areas, we have made specific recommendations for improving security, service, and cost validation for the GITGO initiative.

Summary of Audit Findings

Completion of Important Risk Management Activities Could Provide Assurance of Required Security Controls

Some technical control testing has been performed by system security officials at the Unicenter Service Desk (USD); however, the USD infrastructure [1] is operating without assurance of key risk management activities such as the completion of a certification and accreditation (C&A) of system security controls, the assignment of an Information System Security Officer, and the development of an IT contingency plan. Steps taken with GITGO to manage key C&A activities for the USD infrastructure have not been sufficient to manage specific risks. GSA's IT Security Policy establishes requirements for system authorization, system roles and responsibilities, and IT contingency planning. Without the completion of these key risk management activities, system security officials may not be able to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the USD infrastructure.

[1] For the purpose of this report, the USD infrastructure refers to the servers and applications supporting the IT Service Desk in St. Louis, MO.

Vulnerabilities Identified Could Be Mitigated Through More Secure Configurations for Portions of the IT Service Desk Infrastructure

Our tests found specific instances of vulnerabilities that could be mitigated through more secure configurations for the USD infrastructure. GSA's IT Security Policy establishes detailed requirements for ensuring adequate protection of GSA IT resources. However, hardening practices for the IT Service Desk were not adequate to comprehensively address risks in web applications, databases, and operating systems. Additionally, key IT security requirements were not addressed in the performance measures included in the Performance Work Statement. These vulnerabilities could expose the USD infrastructure to undue risks affecting the confidentiality, integrity, or availability of the IT Service Desk. The details of these vulnerabilities are security sensitive and have been provided in Appendix A.

Additional Guidance Could Better Equip the IT Service Desk with IT Security Incident Handling Responsibilities

We identified weaknesses with security incident handling for the IT Service Desk in the areas of incident reporting and incident mitigation. These weaknesses had two contributing causes. First, comprehensive procedures are not yet in place to guide service desk handling of security incidents. Second, GITGO security officials determined that service desk personnel were not assigned significant security responsibilities and, therefore, were not required to complete role-based training provided under GSA's IT Security Program. While all service desk personnel must complete GSA's IT Security Awareness training to maintain their GSA email accounts, this basic training does not address all security incident handling responsibilities for service desk personnel. The GSA-CIO has issued a procedural guide that documents the required incident handling process for all users of GSA IT resources, including contractor personnel who have access to GSA resources, or otherwise provide services to GSA that handle or process GSA data. Without a comprehensive incident handling capability, GSA may not be able to effectively mitigate the exploited weaknesses. The details of these weaknesses are sensitive in nature and are included in Appendix A.

Monitoring Audit Trails for the Remote Access Solution Could Assist in Detecting and Deterring Potential Unauthorized Activity

Audit trails for the remote support solution used by the IT Service Desk personnel were not analyzed for suspicious activity. GSA's IT Security Policy states that audit records must be reviewed frequently for signs of unauthorized activity and other security events. This is an important security control since audit trails are used to deter and detect unauthorized access to computer systems and to help reveal potential misuse. However, system officials stated that they were uncertain regarding which activities should be analyzed in the available audit trails. By not analyzing audit trails, unauthorized activity or other potential security breaches may not be avoided or detected.

Senior Management Review and Approval Could Improve Service Level Agreements

Under GITGO, service level agreements (SLA) are used for incentivizing certain metrics, including the performance of the IT Service Desk. SLAs document the boundaries and service level goals of the agreed-upon services that will be provided to a specific customer, and set forth specific penalties if the service provider fails to provide the agreed-upon services or to meet the agreed-upon goals. The SLAs for GITGO were revised to modify the definition of First Contact Resolution to count tickets that have been dispatched correctly as resolved. According to Gartner [2], First Contact Resolution is "the most fundamental of all metrics." While a GSA governance body had a charter to review SLAs, the revised SLAs were negotiated but not formally approved. Further, the Information Technology Infrastructure Library (ITIL) recommends the following for service level agreements: "Generally speaking, the more senior the signatories are within their respective organizations, the stronger the message of commitment." Without senior management approval, SLAs may not be incentivizing the most effective metrics for GITGO operations. Senior management, including stakeholders from GSA's Services, Staff Offices, and Regions, may not be held accountable for the selection of metrics for IT service support needs under GITGO.

[2] Gartner Toolkit: IT Service Desks Must Understand the Importance of First Contact Resolution, June 2007.

Establishment of Milestones and Implementation Plan Needed to Realize Benefits from Selected IT Service Management Processes

The GITGO Performance Work Statement (PWS) states that GSA will adopt the following ITIL processes at a minimum: (1) Problem Management, (2) Incident Management, (3) Change Management, (4) Release Management and (5) Configuration Management. We discussed these processes with the OCIO, and documentation was provided on the status of ITIL for GITGO. However, this documentation does not include milestones to develop and guide the implementation of selected ITIL processes. Our analysis identified that the reason milestones have not yet been developed was that the PWS did not include milestones for oversight of the phased implementation of ITIL. New major IT projects in the Federal government are required to establish baselines with clear schedule and performance goals. Without a detailed implementation plan that considers such project management requirements, GSA may not be able to adequately address risks for GITGO ITIL implementation or meet important goals for standardized processes and reliable infrastructure, as outlined in the GSA IT Strategic Plan.

More Consistent Response to Tickets Could Be Achieved Through Standard Procedures to Guide the IT Service Desk Operations

Trouble tickets are used by IT organizations to track the detection, reporting, and resolution of problems reported by their customers. The GITGO IT Service Desk receives an average of 18,300 trouble tickets per month. We reviewed a sample of 75 tickets that included: 46 active tickets, 4 tickets referred by Federal Acquisition Service personnel, and 25 tickets associated with malicious code. Our analysis identified inconsistencies in IT Service Desk ticket handling, which may lead to inefficiencies. Specifically, service desk personnel did not consistently identify related tickets, set ticket categories, or classify tickets as an issue or change order. Further, we identified tickets that were not resolved in a timely manner. These inconsistencies were due to incorrect routing of tickets or procedures that were not comprehensive. A performance objective stated in the PWS for the IT Service Desk is to deploy a consolidated, enterprise help desk resulting in a reliable delivery of service. In addition, the PWS states that a goal for the GITGO initiative is to develop and deploy agency-approved standard processes. Inconsistent handling of incidents by the IT Service Desk could lead to difficulty in analyzing the effectiveness of IT Service Desk operations and may impact the ability of the IT Service Desk to consistently resolve trouble tickets in a timely manner.

Enhancing the Process for Verifying Cost Baselines Associated with Infrastructure Support Services Could Improve Management Planning Decisions

The GSA-CIO has consolidated forty contracts with annual infrastructure support costs of approximately $59 million into a single contract at approximately $40 million annually with GITGO. Agency officials did not verify the accuracy of the pre-consolidation cost baseline and did not conduct an independent validation for the baseline. This was due to OCIO procedures that were not adequate for verifying the pre-consolidation cost baseline information. New major IT projects in the Federal government are required to ensure that cost, schedule, and performance goals are independently validated for reasonableness. Reasonable baselines should be accurate, relevant, timely, and complete. Additionally, OMB Circular A-94 stipulates that analyses should be explicit about the underlying assumptions used to arrive at estimates of future benefits and costs. These analyses should include a statement of the assumptions, the rationale behind them, and a review of their strengths and weaknesses. Redundant services may be in place because all services under the pre-existing contracts were not verified for the pre-consolidation baseline. In addition, scope creep could occur if the baseline does not include all required infrastructure support services. We were unable to examine GITGO costs in detail from the capital asset plans and business cases submitted in 2007 and 2008 to OMB because IT infrastructure support costs from GITGO were not delineated from overall IT infrastructure costs. The OCIO stated that they have been tracking the costs for the GITGO initiative since its award. To improve the cost validation process, the OCIO should improve the process for verifying this cost information to better ensure the accuracy of future cost baselines necessary for monitoring infrastructure support services.

Recommendations

We recommend that the General Services Administration, Chief Information Officer (GSA-CIO) improve GSA Infrastructure Technology Global Operations (GITGO) security controls by:

   1. Enhancing IT security management of key certification and accreditation activities for the Unicenter Service Desk (USD) infrastructure to include:
         a. Completing the required certification and accreditation.
         b. Assigning an Information System Security Officer (ISSO).
         c. Developing an IT contingency plan in accordance with the IT Security Policy.

   2. Addressing the security vulnerabilities for the USD infrastructure to include:
         a. Mitigating the identified vulnerabilities.
         b. Enhancing hardening procedures for web applications, databases, and operating system platforms.
         c. Ensuring that IT security performance measures allow for adequate oversight of the IT Service Desk by incorporating key requirements into the contracting process.

   3. Improving the handling of IT security incidents by the IT Service Desk to include:
         a. Establishing comprehensive procedures for handling IT security incidents, including procedures for reporting and mitigating IT security incidents.
         b. Ensuring that IT Service Desk personnel have training in their specific responsibilities for handling IT security incidents.

   4. Analyzing remote support solution audit trails for unauthorized activity and other security events.

We recommend that the GSA-CIO improve GITGO service delivery and support by:

   5. Ensuring that a governance body reviews and approves the Service Level Agreements.

   6. Providing additional oversight for the adoption of the Information Technology Infrastructure Library (ITIL) to include developing milestones for the implementation of the selected ITIL processes.

   7. Enhancing procedures for IT Service Desk incidents to ensure that they are consistently handled.

We recommend that the GSA-CIO improve infrastructure support services cost monitoring by:

   8. Improving the cost validation process to verify project costs.

Management Comments

The GSA-CIO concurred with all audit findings and recommendations. A copy of the CIO's comments is provided in its entirety as Appendix B.

Internal Controls

The objective of this review was to assess whether risks with GSA's consolidation of IT support services have been adequately mitigated by determining if: (1) the GSA Infrastructure Technology Global Operations (GITGO) initiative for IT infrastructure support consolidation is generating expected cost savings and other benefits; (2) GSA's consolidated IT Service Desk is operating effectively, efficiently, and securely; and (3) GSA and the GITGO contractor are developing and implementing Information Technology Infrastructure Library (ITIL) processes to align IT support services to customer needs. If not, what changes are needed to ensure successful implementation of the GITGO initiative? This report states the need to strengthen specific controls for GITGO security, services and cost validation to improve operations and customer satisfaction. This review did not address all of the expected benefits of the GITGO initiative.

I wish to express my appreciation to you and your staff for your cooperation during the audit. If you have any questions, please contact me or Gwen McGowan, Deputy Assistant Inspector General for Information Technology Audits, on 703-308-1223.

Donna Peterson-Jones
Audit Manager, Information Technology Audit Office (JA-T)

APPENDIX A - BRIEFING SLIDES TO THE OCIO

Due to the sensitive nature of the detailed security information contained in this appendix, only reports provided to the Chief Information Officer (CIO) and appropriate officials of the Office of the Chief Information Officer contain a copy of the briefing slides used to present detailed information to the CIO on March 30, 2009. Requests for copies of these slides should be referred to Gwendolyn McGowan, Deputy Assistant Inspector General for Information Technology Audits, or Donna Peterson-Jones, Audit Manager, on 703-308-1223.

APPENDIX B - GSA CIO'S RESPONSE TO THE DRAFT REPORT

APPENDIX C - REPORT DISTRIBUTION

With Appendix A                                                           Electronic Copies

Office of the Chief Information Officer (I)                                          3
Office of Enterprise Infrastructure (IO)                                             2

Without Appendix A

Assistant Inspector General for Auditing (JA)                                        1
Director, Audit Operations (JAO)                                                     1
Assistant Inspector General for Investigations (JI)                                  1
Internal Control and Audit Division (BEI)                                            1
Administration and Data Systems Staff (JAS)                                          1
Regional Inspector General for Auditing, National Capital Region (JA-W)              1